These materials are © 2021 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Network Virtualization For Dummies®, VMware 3rd Special Edition

by Varun Santosh and Stijn Vanveerdeghem

Network Virtualization For Dummies®, VMware 3rd Special Edition

Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2021 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

ISBN 978-1-119-73684-4 (pbk); ISBN 978-1-119-73682-0 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&[email protected].

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Project Editor: Elizabeth Kuball
Acquisitions Editor: Ashley Coffey
Editorial Manager: Rev Mengle
Business Development Representative: Karen Hattan
Production Editor: Siddique Shaik
Special Help: Faithe Wempen
Table of Contents

INTRODUCTION ... 1
    About This Book ... 1
    Foolish Assumptions ... 2
    Icons Used in This Book ... 2
    Where to Go from Here ... 2

CHAPTER 1: Evolving to a Modern Network ... 3
    How Network Virtualization Is Changing Everything ... 4
    Today’s Networking and Security Challenges ... 5
        Businesses need speed ... 5
        Security requirements are rising ... 5
        Apps and data are in multiple clouds ... 6
    Why Hardware-Based Networks Can’t Keep Up ... 7
        Physical network provisioning is slow ... 7
        Workload placement and mobility are limited ... 8
        Hardware limitations and lock-ins breed complexity and rigidity ... 8
        Configuration processes are manual, slow, and error-prone ... 9
        Operational and capital expenditures are too high ... 10
        You can’t leverage hybrid cloud resources ... 11
        Traditional firewalls aren’t adequate ... 11

CHAPTER 2: Virtualizing the Network ... 15
    Understanding How Network Virtualization Works ... 15
    Differentiating Between Network Virtualization and Software-Defined Networking ... 19
    Comparing Virtual Appliances to Network Virtualization ... 20
    Understanding Why the Time Is Right for Network Virtualization ... 20
        Meeting the demands of a dynamic business ... 21
        Increasing flexibility with hardware abstraction ... 21
        Redefining security with micro-segmentation ... 21
    Rethinking the Network ... 24

CHAPTER 3: Transforming the Network ... 25
    Understanding the Key Functionalities of a Virtualized Network ... 25
        Overlay networks ... 25
        Comparing GENEVE and VXLAN ... 27
    Understanding Virtual Network Functions ... 29
    The Big Payoff ... 30
    Meeting the VMware NSX Data Center ... 30
        NSX Data Center architecture ... 31
        Integration with existing network infrastructure ... 31
        Simplified networking ... 31
        Broader networking and security capabilities ... 32
    Exploring Key NSX Capabilities ... 32
        Everything in software ... 33
        Essential isolation, segmentation, and advanced security services ... 34
        Performance and scale ... 34
        Unparalleled network visibility ... 35
    Identifying the Key Benefits of VMware NSX Data Center ... 36
        Functional benefits ... 36
        Economic benefits ... 37

CHAPTER 4: Exploring Network Virtualization Use Cases ... 39
    Securing the Data Center ... 40
        Security at the granularity of a workload and the scale of the enterprise ... 41
        VMware Service-defined Firewall ... 42
        Taking a phased approach to securing a data center ... 49
        Securing user environments: Micro-segmentation for VDI ... 50
    Multi-Cloud Networking ... 53
        Managing hybrid cloud environments ... 54
        Disaster recovery and metro pooling ... 54
        Consistent security policy and visibility ... 55
        Workload mobility between clouds ... 55
    Networking Modern Applications ... 56
    Automating the Network ... 57
        Network automation ... 57
        Developer cloud ... 57

CHAPTER 5: Operationalizing Network Virtualization ... 59
    Investigating Operations Investment Areas ... 60
        People and processes ... 60
        Processes and tooling ... 61
    Looking at Some Examples ... 63
        Provisioning and configuration management ... 63
        Incident and capacity management ... 64
        Micro-segmentation ... 64
    Developing the Right Mindset ... 65
    Focusing on the Big Picture ... 66

CHAPTER 6: Ten (Or So) Ways to Get Started with Network Virtualization ... 67
    Boning Up on the Basics ... 67
    Taking a Deeper Dive ... 68
    Taking an NSX Data Center Test Drive with Hands-On Labs ... 69
    Gaining Visibility ... 70
    Deploying NSX in Your Environment ... 70
    Deploying NSX Data Center on Your Existing Network Infrastructure ... 72
    Integrating with Your Networking Services Ecosystem Partners ... 72
Introduction

Perhaps you’ve heard some talk about network virtualization, and wondered what it was all about. How can something physical, like network hardware, become something entirely existing in software? And how does it change the way networks operate and IT professionals do their jobs?

Welcome to Network Virtualization For Dummies, your guide to a new and greatly improved approach to networking and security. This book teaches you the basics of virtualization and explains how it can help a business save money, run faster, and be more secure.

Keeping up with modern business’s expectations is a tall order for any network. A network needs to be

»» Agile and configurable enough to move as fast as the business itself
»» Smarter and faster than the cybercriminals who are always looking for a way in
»» Flexible enough to enable users to run applications and access data from anywhere in the world

Network virtualization can help your company realize all those goals and more.

About This Book

Don’t let the small footprint fool you. This book is loaded with information that can help you understand and capitalize on network virtualization. In plain and simple language, we explain what network virtualization is, why it’s such a hot topic, how you can get started, and steps you can take to get the best bang for your IT buck.
Foolish Assumptions

In writing this book, we’ve made some assumptions about you. We assume that

»» You work in IT, cloud, application pipelines, or a related role that involves some level of networking.
»» You’re familiar with network terminology.
»» You understand the concept of virtualization.

Icons Used in This Book

To make it even easier to navigate to the most useful information, these icons highlight key text:

Take careful note of these key “takeaway” points.

Read these optional passages if you crave a more technical explanation.

Follow the target for tips that can save you time and effort.

Anything marked with this icon will save you a load of trouble (or worse).

Where to Go from Here

The book is written as a reference guide, so you can read it from cover to cover or jump straight to the topics you’re most interested in. Whichever way you choose, you can’t go wrong. Both paths lead to the same outcome: a better understanding of network virtualization and how it can help you increase security, agility, and multi-cloud flexibility.
IN THIS CHAPTER
»» Exploring today’s networking and security challenges
»» Building the case for network virtualization
»» Introducing the virtual cloud network

Chapter 1
Evolving to a Modern Network

Why should you care about network virtualization? Why are organizations increasingly adopting virtualization technologies? This chapter explores several challenges that point to a single overarching need: Organizations want to deliver public cloud-like agility, flexibility, efficiency, and reliability with their private-cloud infrastructure. Here’s why:

»» To stay competitive, businesses need agility to speed up time to market.
»» Companies face increasingly heterogeneous infrastructures, from the edge to branch offices to core data centers and the cloud.
»» Legacy network architectures limit business agility, leave security threats unchecked, and drive up costs.
»» Using dedicated hardware for each network function prohibits an agile, scalable approach.
How Network Virtualization Is Changing Everything

Network virtualization is rewriting the rules for the way services are delivered. It decouples networking and security services from underlying network hardware by creating logical virtual networks. Organizations are taking a full-stack layer 2 to layer 7 approach with network virtualization, delivering services like virtual switching and routing, firewalling, and load balancing that are built into the infrastructure. Armed with this ability to define and consume the network in software, organizations can centrally provision the network on-demand while simplifying configuration and improving scale and resource efficiency. This approach transforms networks from static, inflexible, and inefficient to dynamic, agile, and optimized.

In this new world, infrastructure intelligence moves from hardware to software. Data center infrastructure elements — including compute, networking, and storage — are virtualized and grouped into pools of resources that can then be automatically deployed with little or no human involvement. Everything is flexible and automated through software. The virtual cloud network extends these concepts beyond the data center, to wherever applications and data reside.

With network virtualization enabling the software-defined data center (SDDC), you can forget about spending days or weeks provisioning the infrastructure to support a new application. You can now deploy or update apps in minutes, for rapid time to value. This book has a particular focus on how network virtualization enables the SDDC, while also touching on how it lays the foundation for the virtual cloud network — a network model that extends network virtualization across clouds, apps, and endpoints.

According to the Flexera 2020 State of the Cloud Report, enterprises continue to scale their multi-cloud strategies, with 87 percent of organizations having a hybrid cloud strategy. Similarly, according to the annual CNCF Survey 2019, the use of containers for user-facing applications increased significantly, with 84 percent of respondents using containers in production, up more than 15 percent from 2018. Network virtualization is playing a central role in simplifying connectivity and security in these heterogeneous environments, enabling organizations to build and deploy these applications faster.
Today’s Networking and Security Challenges

That all sounds pretty good, doesn’t it? But there are quite a few technical details to work out between here and there. We’ll kick things off by looking at some of the networking and IT challenges companies face today. Upcoming chapters explain how network virtualization can help solve many of them.

Businesses need speed

Organizations of all sizes are experiencing a rapid increase in the pace of change. Everything needed to be done yesterday — new innovations and feature delivery, competitive responses, and projects critical to the organization. This new reality has big implications for the network.

When a business wants to wow its customers with a new app, roll out a promotion, or take a new route to market, it needs the supporting IT services right away — not in weeks or even days. In today’s world, you either go for it or miss out. We’re in the era of the incredible shrinking window of opportunity.

When the business turns to the IT organization for essential services, it wants to hear, “We’ll get it done. We’ll have it up and running right away.” And increasingly, the business wants to not even have to ask IT.

Security requirements are rising

Everyone knows we need to do more to avoid costly breaches that put sensitive information into the hands of cybercriminals. No company is immune to the threat. Just consider some of the headline-grabbing security breaches of the past few years — breaches that have brought corporate giants to their knees. Major brands, from healthcare and investment banking to retail and entertainment, have been tarnished after letting down their customers. All companies are now caught up in the same costly battle to defend critical data.

It’s like one big war game. A company fortifies its data center with a tough new firewall, and the cybercriminals slip in through a previously unknown back door — like a simple vulnerability in a client system — and run wild in the data center. The traditional strategy of defending the perimeter needs to be updated to include much more protection inside the data center. Vulnerabilities in applications are the primary targets of attackers ranging from cybercriminals to nation-state actors. Traditional firewalls alone are inadequate to protect against attacks that come in through valid channels, such as legitimately open ports. Examples of this type of attack include SQL injections and wormable ransomware leveraging exploits such as EternalBlue to laterally spread across vulnerable Server Message Block (SMB) servers within the data center.

Organizations are building security into the software development life cycle, but that has by no means eliminated insecure code and vulnerable software. Fixing vulnerabilities after applications have been deployed is costly and leads to downtime. So, network security should be applied as close to the application as possible, and the life cycle of a security policy should be directly tied to the life cycle of the application.
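The two policy models this section contrasts, as an added example that is not from the book or from VMware: a toy evaluator in which a perimeter-only firewall never sees east-west traffic, while workload-attached (micro-segmentation) rules are checked for every flow and are removed together with the workload they belong to. The zone map, workload names, ports and rules below are constructed for illustration.

```python
"""Perimeter-only vs. workload-attached firewall policy (toy model, added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str    # source workload name, or "internet"
    dst: str    # destination workload name
    port: int   # destination TCP port


@dataclass(frozen=True)
class Rule:
    src: str             # source workload name, or "any"
    port: Optional[int]  # destination port; None matches any port
    action: str          # "allow" or "deny"
    dst: str = "any"     # destination workload; "any" for rules not bound to one

    def matches(self, flow: Flow) -> bool:
        return (self.src in ("any", flow.src)
                and self.dst in ("any", flow.dst)
                and (self.port is None or self.port == flow.port))


# Constructed zone map: one "outside" zone and one flat data-center zone.
ZONE = {"internet": "outside", "web01": "dc", "app01": "dc", "db01": "dc", "fs01": "dc"}


class PerimeterFirewall:
    """Rules are enforced only on traffic that crosses the outside/dc boundary."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def evaluate(self, flow: Flow) -> str:
        if ZONE[flow.src] == ZONE[flow.dst]:
            return "allow"  # east-west traffic never reaches the perimeter box
        for rule in self.rules:  # first match wins
            if rule.matches(flow):
                return rule.action
        return "deny"


class WorkloadFirewall:
    """Each workload carries its own inbound rule set; anything unmatched is denied."""

    def __init__(self):
        self.policy: Dict[str, List[Rule]] = {}

    def attach(self, workload: str, rules: List[Rule]) -> None:
        self.policy[workload] = list(rules)

    def decommission(self, workload: str) -> None:
        # Policy life cycle follows the workload: drop its own rules and every
        # rule elsewhere that still names it as a permitted source.
        self.policy.pop(workload, None)
        for name, rules in self.policy.items():
            self.policy[name] = [r for r in rules if r.src != workload]

    def evaluate(self, flow: Flow) -> str:
        for rule in self.policy.get(flow.dst, []):
            if rule.matches(flow):
                return rule.action
        return "deny"


def build_perimeter() -> PerimeterFirewall:
    # Classic edge policy: only HTTPS from the Internet to the web tier.
    return PerimeterFirewall([Rule("internet", 443, "allow", dst="web01"),
                              Rule("any", None, "deny")])


def build_microseg() -> WorkloadFirewall:
    # Per-workload allow lists that follow the application's tier structure.
    fw = WorkloadFirewall()
    fw.attach("web01", [Rule("internet", 443, "allow")])
    fw.attach("app01", [Rule("web01", 8080, "allow")])
    fw.attach("db01", [Rule("app01", 5432, "allow")])
    fw.attach("fs01", [Rule("app01", 445, "allow")])  # SMB only from the app tier
    return fw


# The east-west path the text describes: SMB from one data-center host to another.
LATERAL_SMB = Flow("web01", "fs01", 445)


def compare(flow: Flow) -> Dict[str, str]:
    """Verdict of each model for the same flow."""
    return {"perimeter": build_perimeter().evaluate(flow),
            "micro-segmentation": build_microseg().evaluate(flow)}


def after_decommission(flow: Flow) -> str:
    """Verdict once app01 is retired and its policy retired with it."""
    fw = build_microseg()
    fw.decommission("app01")
    return fw.evaluate(flow)


if __name__ == "__main__":
    print("lateral SMB web01->fs01:445  ", compare(LATERAL_SMB))
    print("internet->web01:443          ", compare(Flow("internet", "web01", 443)))
    print("app01->db01:5432 after retire", after_decommission(Flow("app01", "db01", 5432)))
```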

Apps and data are in multiple clouds

There is no longer a simple answer for where apps are running and where the data resides. Some apps start in the cloud, where some developers begin to code and test. Many companies find that certain apps are best run in the private data center, both for cost efficiencies and private control. Many other organizations have moved apps away from their original deployment location — from the private data center to the public cloud to delegate management, or from the public cloud to the private data center to rein in public-cloud costs or to take advantage of new private-cloud consumption models. Today’s organizations realize that they need to rely on multiple environments.

The rise of server virtualization has made a lot of great things possible around application mobility, but there has been a catch: the network. It’s like a hitch in your giddyup, to borrow some words from the cowboys of old. The network configuration is tied to hardware, so even if apps can move with relative ease, the hardwired networking connections hold them back.

Networking services also tend to be very different from one data center or cloud to another. That means you need a lot of customization to make your apps work in different network environments. That’s a major barrier to app mobility — and another argument for using virtualization to transform the network.
Why Hardware-Based Networks Can’t Keep Up

The SDDC is the most agile and responsive architecture for the modern data center. It’s achieved by moving intelligence into software for all infrastructure elements. Here’s a summary of where things are today:

»» Most data centers now leverage server virtualization for the best compute efficiency. Check!
»» Many data centers now optimize their storage environments through virtualization. Check!
»» Organizations have virtualized their network environments within the data center and across clouds. A lot of progress has been made! But the potential to do more remains enormous.

Although many businesses are capitalizing on server and storage virtualization, they’re still challenged by legacy network infrastructure that revolves around hardware-centric, manually provisioned approaches that have been around since the first generation of data centers.

In the following sections, we walk through some of the specific challenges of legacy architectures.

Physical network provisioning is slow

Some network provisioning processes can be scripted — and certain software-defined networking (SDN) models promise to make this a reality. However, with hardware-based systems, there is no automatic linkage to compute or storage virtualization. As a result, there is no way to automatically provision networking when the associated compute and storage is created, moved, snapshotted, deleted, or cloned. Therefore, network provisioning remains slow, despite the use of automated tools.

All the while, the thing that matters the most to the business — getting new apps ready for action — is subject to frequent delays caused by the slow, error-prone, manual processes used to provision network services.
This is all rather ironic when you take a step back and consider the bigger picture. The limitations of legacy networks tie today’s dynamic virtual world back to inflexible, dedicated hardware. Server and storage infrastructure that should be rapidly repurposed must wait for the network to catch up. Provisioning then becomes one big hurry-up-and-wait game.

Workload placement and mobility are limited

In today’s fast-moving business environments, apps need to have legs. They need to move freely from one place to another. This may mean replication to an off-site backup-and-recovery data center, movement from one part of the corporate data center to another, or migration into and out of a cloud environment.

Server and storage virtualization makes this kind of mobility possible, but network hardware can interfere with that. When it comes to app mobility, today’s hardwired network silos rob apps of their running shoes. Workloads, even those in virtual machines, are tethered to physical network hardware and topologies. To complicate matters, different data centers have different approaches to networking services, so it can take a lot of heavy lifting to configure an app running in data center A for optimal performance in data center B.

All of this limits workload placement and app mobility and makes change not just difficult but risky. It’s always easiest — and safest — to simply leave things just the way they are.

The current hardware-centric approach to networking restricts workload mobility to individual physical subnets and availability zones. To reach available compute resources in the data center, your network operators may be forced to perform box-by-box configuration of switching, routing, firewall rules, load-balancing services, and so on. Not only is this process slow and complex, but it will eventually reach scalability limits.

Hardware limitations and lock-ins breed complexity and rigidity

The current closed black-box approach to networking — with custom operating systems, application-specific integrated circuits (ASICs), command-line interfaces (CLIs), and dedicated management software — complicates operations and limits agility. This old approach doesn’t consider the dynamic nature of today’s applications, and it locks you in — and not just with the vendor. It locks you into the complexities of your current network architecture, limiting your IT team’s ability to adapt and innovate. This, in turn, puts the same limits on the business itself, because the business can move no faster than IT can move.

In its 2018 report called Look Beyond Network Vendors for Network Innovation, Gartner says that, as its clients are going through digital transformation, their network teams “must deliver data center network infrastructure rapidly and on-demand.” Moreover, Gartner is seeing that the data center network is one of the biggest challenges for its clients (based on more than 3,000 inquiries and audience polling in 2017).

Here are some rather telling findings from the same report:

»» Data center network requests commonly take days to fulfill.
»» The number of active ports supported per local area network (LAN) full-time equivalent (FTE) has actually gotten less efficient over time by more than 10 percent — from 3,412 ports per FTE in 2013 to only 2,933 ports per FTE in 2016.

Configuration processes are manual, slow, and error-prone

On a day-to-day basis, physical networks force your network team to perform a lot of repetitive, manual tasks — many of which are discouraged or require approvals given the implications of a mistake. If a line of business or a department requests a new application or service, you need to create VLANs, map VLANs across switches and uplinks, create port groups, update service profiles, and so on.

Certain SDN models hope to help here by allowing programmatically controlled hardware, but this still leaves you with a lot of heavy lifting. For instance, you still need to build multiple identical physical network stacks to support your development, test, and production teams, and you still lack the ability to deploy your (hardware-based) network in lockstep with your virtualized compute and storage.
A high price tag is associated with all of this. As Andrew Lerner,
a Gartner research director, noted, “Configuration and change
management of networking gear remains primarily a labor-
intensive, manual process. These suboptimal network practices
result in downtime, reduce security, degrade application perfor-
mance, and waste human and capital resources.”

Clearly, there’s a better way forward: network automation. As


Network World noted in a 2018 article, “Network automation is
helping enterprises scale up and cut down on their costs expo-
nentially, giving them the bandwidth needed to focus on strategy
and innovation.”

Operational and capital expenditures


are too high
The limitations of legacy network architectures are driving up
data center costs, in terms of both operational expenditures
(OpEx) and capital expenditures (CapEx).

OpEx
The heavy use of manual processes drives up the cost of network
operations. Just consider all the labor-intensive manual tasks
required to configure, provision, and manage a physical network.
Now multiply the effort of these tasks across all the environments
you need to support: development, testing, staging, and produc-
tion; differing departmental networks; differing application envi-
ronments; primary and recovery sites; and so on. Tasks that may
be completed in minutes with automated processes — or even
instantaneously with automatic deployment of networks — take
hours, days, or weeks in a manual world.

And then there are the hidden costs that come with manually
introduced configuration errors. One mistake can cause a critical
connectivity issue or outage that impacts the business.

CapEx
On the CapEx side, legacy network architectures require your
organization to invest in stand-alone solutions for many of the
networking and security functions that are fundamental to data

10 Network Virtualization For Dummies, VMware 3rd Special Edition

These materials are © 2021 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
center operations, including routing, switching, firewalling, analytics, and load balancing. Providing these functions everywhere they’re needed comes with a hefty price tag.

There is also the issue of the need to overprovision hardware to be sure you can meet peak demands and the need to deploy active–passive configurations. In effect, you need to buy twice the hardware for high availability — and sometimes much more.

And then there is the cost of forklift upgrades. To take advantage of the latest innovations in networking technology, network operators often have to rip and replace legacy gear, with most organizations on a three- to five-year refresh cycle. Legacy network architectures rooted in hardware also require overprovisioning to account for spikes in usage. The inability of hardware-based networks to scale automatically based on demand requires this inefficiency. And up go the costs of networking.

You can’t leverage hybrid cloud resources
The public-cloud model has proven that applications and services can be provisioned on-demand. Enterprises everywhere would like to enjoy the same level of speed and agility. With that thought in mind, forward-looking executives have envisioned using hybrid clouds for all kinds of use cases, from data storage and disaster recovery to software development and testing.

But, once again, there is a network-related catch: In their quest to move to the cloud, enterprises are hampered by vendor-specific network hardware and physical topology. These constraints that come with legacy data center architectures can make it difficult to implement hybrid clouds. Hybrid clouds depend on a seamless extension of the on-premises data center to a public-cloud resource, and how do you achieve this when you can’t control the public-cloud network to mirror your hardware networking systems?

Traditional firewalls aren’t adequate
Many of the widely publicized cyberattacks of recent years share a common characteristic: Once inside the data center perimeter,
malicious code moved from server to server, where sensitive data was collected and sent off to cybercriminals. These cases highlight a weakness of today’s data centers: They have limited network security controls to stop attacks from spreading inside the data center.

Perimeter firewalls are pretty good at stopping many attacks, but not all of them. As recent attacks have shown, threats are still slipping into the data center through legitimate access points. Once inside, often there is nothing in place to prevent them from spreading within the data center. This problem has been a tough one to solve because of the realities of physical network architectures. Put simply, with legacy networking systems, providing firewalling for traffic between all workloads inside the data center is too costly.

Using a traditional hardware firewall as an internal firewall in the data center requires hairpinning. Traffic needs to be sent up from a workload on the hypervisor across the network, across racks to a physical firewall, and then back again, even if both the source and the destination reside on the same hypervisor.

Even more important, inserting a traditional firewall into an existing brownfield environment requires significant re-architecture, not just of the network itself but, more critically, of the applications. Many customers start with a perimeter firewall protecting the demilitarized zone (DMZ) from the outside and the internal network from the DMZ. As organizations grow, they realize that they need to segment that internal network. Doing this with a traditional firewall means that application IP addresses would need to be reassigned. It also results in segmentation that is very rigid and limited to network constructs and VLANs.

Having a firewall policy that relies on IP addresses and ports leads to delays, forcing customers to adopt very coarse security policies that often become stale and remain in place long after an application has been decommissioned.

As new applications are brought up and legacy applications are decommissioned, firewall policies need to be updated very frequently, and the policies consist of much larger rule sets than at the perimeter. Traditional firewalls don’t have the software-defined architecture that enables them to scale with the massive
amount of traffic, large rule bases, and constant policy updates that are required on the internal network.

To stay competitive, businesses need to move fast, yet their networks don’t have the agility they need. Antiquated network architectures are blocking the road to the SDDC and virtual cloud network. Legacy network architectures limit business agility, leave security threats unchecked, and drive up costs. These themes point to a single overarching need: It’s time to move out of the hardwired past and into the era of the virtualized network.
IN THIS CHAPTER
»» Explaining the basics of network virtualization
»» Comparing network virtualization and software-defined networking
»» Looking at the differences between virtual appliances and virtual layer integration
»» Seeing why now is the time for network virtualization
»» Thinking of the network in new ways

Chapter 2
Virtualizing the Network

In this chapter, we dive into the concept of network virtualization — what it is, how it differs from other approaches to the network, and why the time is right for this new approach.

To put things in perspective, let’s begin with a little background on network virtualization, the state of today’s networks, and how we got to this point.

Understanding How Network Virtualization Works
Network virtualization makes it possible to programmatically create, provision, and manage networks completely within software, while continuing to leverage the underlying physical network as the packet-forwarding backplane. Network and security services in software are distributed to a virtual layer (hypervisors in the data center). They’re attached to individual workloads, such as virtual machines (VMs) or containers, in accordance with networking and security policies defined for each connected
application. When a workload is moved to another host, its networking and security services move with it. And when new workloads are created to scale an application, the necessary policies are dynamically applied to those as well.

Just as a VM or a container is a software construct that presents logical services to an application, a virtual network is a software construct that presents logical network services — switching, routing, firewalling, load balancing, virtual private networks (VPNs), and more — to connected workloads. These network and security services are delivered in software and require only Internet Protocol (IP) packet forwarding from the underlying physical network. The workloads themselves are connected via the logical network, implemented by overlay networking. This enables the entire network to be created in software (see Figure 2-1).

FIGURE 2-1: Compute and network virtualization.

Network virtualization coordinates the virtual switches across the various environments (such as hypervisors and clouds) along with the network services (such as firewalling and load balancing) to effectively deliver a networking platform and create dynamic virtual networks.

Another advantage of network virtualization is that you can provision network resources and services through a number of interfaces. One set of options makes use of the native user interfaces such as the native graphical user interface (GUI) and command-line interface (CLI). Another approach leverages the application programming interface (API) to script or bake in homegrown tools.
New application frameworks like Kubernetes integrate with network virtualization so that networking services are created along with new apps, pods, and containers. Another way to provision virtual networks uses a cloud management platform (CMP) such as OpenStack or VMware vRealize Automation to request a virtual network and the appropriate security services for new workloads. In each case, the controller distributes the necessary network services to the corresponding virtual switches and logically attaches them to the corresponding workloads (see Figure 2-2).

FIGURE 2-2: Virtual network provisioning.

This flexibility not only allows different virtual networks to be associated with different workloads in the same environment (such as cluster, pod, hypervisor, application instance, and virtual private cloud [VPC]), but it also enables the creation of everything from basic virtual networks involving as few as two nodes to very advanced constructs that match the complex, multi-segment network topologies used to deliver multitier applications.

To connected workloads, a virtual network looks and operates like a traditional physical network. Workloads see the same layer 2 through layer 7 network services that they would in a traditional physical configuration. It’s just that these network services are
now logical instances of distributed software modules running in software on the local host and applied at the virtual interface of the virtual switch.

To the physical network, a virtual network looks and operates like a traditional physical network (see Figure 2-3). The physical network sees the same layer 2 network frames that it would in a traditional physical network. The virtualized workload sends a standard layer 2 network frame that is encapsulated at the source hypervisor with additional IP, user datagram protocol (UDP), and logical network overlay headers (for example, virtual extensible local area network [VXLAN] or generic network virtualization encapsulation [GENEVE]). The physical network forwards the frame as a standard layer 2 network frame, and the destination environment (for example, hypervisor, container platform, cloud) decapsulates the headers and delivers the original layer 2 frame to the destination workload (for example, VM or container).

FIGURE 2-3: The virtual network, from the network’s perspective (physical).

The ability to apply and enforce security services at the virtual interface of the virtual switch also eliminates hairpinning in situations where east–west traffic between two endpoints on the same physical host but in different subnets must traverse the network to reach essential services such as routing and firewalling.
Differentiating Between Network Virtualization and Software-Defined Networking
Network virtualization may sound a lot like software-defined networking (SDN), so what’s the difference? Let’s look at these two concepts.

Software-defined networking makes the network more agile by defining networking constructs in software. In this regard, network virtualization and SDN are similar.

How SDN manifests varies widely. In some instances, the goal is to manage physical network device configuration. In others, it’s about broadly orchestrating the network services by tying multiple systems together via application programming interfaces (APIs) — some software, some hardware. In many cases, hardware remains the driving force for the network, which gets away from the original goal.

Network virtualization has a more specific definition. It completely decouples network resources from the underlying hardware, with networking components and functions replicated in software. Virtualization principles are applied to physical network infrastructure to create a flexible pool of transport capacity that can be allocated, used, and repurposed on-demand.

With your networking resources decoupled from the physical infrastructure, you basically don’t have to touch the underlying hardware when adding or updating applications, regardless of the networking services they require. Endpoints can move from one logical domain to another without anyone having to reconfigure the network or wire up domain connections. You implement network virtualization in a virtual layer within the compute domain — close to the application — rather than on network switches. As noted earlier, the physical network, very critical still, serves as a packet-forwarding backplane but is not required to change with each application change.
Comparing Virtual Appliances to Network Virtualization
Virtual appliances are usually designed to deliver the functionality of a single network function, such as a router, a wide area network (WAN) accelerator, or a network firewall, but in the form factor of a dedicated VM.

Though they meet targeted needs, virtual appliances have some different characteristics from a broader network virtualization approach. For starters, virtual appliances run as guests on top of a hypervisor, which limits performance. They also introduce the challenge of virtual appliance sprawl. Because of the limited performance of the devices, you may end up having to deploy tens, hundreds, or even thousands of virtual appliances to reach the scale of the full data center. This presents capital expenditure (CapEx) barriers, as well as operational challenges.

Network virtualization integrates all networking functions into a comprehensive virtual network layer that includes an orchestration (or controller) mechanism and deep integration with the virtual compute layer (for example, hypervisor, container orchestration, or cloud). This more sophisticated approach allows the network and the full range of its functions to follow VMs as they move from one server to another. There’s no need to reconfigure any network connections, because those are all in software. Basically, the network can go anywhere that is virtualized.

Understanding Why the Time Is Right for Network Virtualization
People have been talking about network virtualization for years. It’s time to let the rubber meet the road — to meet pressing needs in today’s applications.

Here are some of the reasons why the time is right for network virtualization.
Meeting the demands of a dynamic business
Simply put, software moves faster than hardware. It’s far easier to deploy services, make changes, and roll back to previous versions when the network is all in software. Today’s businesses have constantly changing requirements, which puts increasing demands on IT to be able to support these changes. When the network environment is run purely in software, it’s much more flexible in adapting to changes, making it possible for IT organizations to meet business demands more effectively.

Increasing flexibility with hardware abstraction
Network virtualization moves intelligence from dedicated hardware to flexible software that increases IT and business agility. This concept is known as abstraction. To explain this concept, let’s start in the well-established world of server virtualization.

With server virtualization, an abstraction layer, or hypervisor, reproduces the attributes of the physical server — central processing unit (CPU), random access memory (RAM), disk, and so on — in software. Abstraction allows these attributes to be assembled on the fly to produce a unique VM.

Network virtualization works the same way. With network virtualization, the functional equivalent of a “network hypervisor” reproduces networking services — such as switching, routing, access control, firewalling, quality of service (QoS), and load balancing — in software. With everything in software, virtualized services can be assembled in any combination to produce a unique virtual network in a matter of seconds.

This level of agility is one of the big benefits of the software-defined data center (SDDC), extending to the virtual cloud network, and one of the big arguments for network virtualization.

Redefining security with micro-segmentation
Network security has traditionally been built around unchanging network topology. Back in the day, applications were static and typically confined to one environment. Organizations achieved a
degree of segmentation by using a network-based security policy with a firewall filtering traffic crossing a VLAN.

Today, however, the reality is different. Applications are deployed across hybrid environments, so they may not be fully visible to the infrastructure administrator tasked with ensuring proper application security enforcement. At the same time, automation-driven application deployment models and continuously changing applications have resulted in infrastructure and security teams having to continuously redefine networking and security configuration.

All too often, infrastructure teams and application owners/developers don’t speak the same language. Application owners lack proper tools to effectively determine and communicate networking and security requirements for applications they develop, leading to long delays in application rollouts and sometimes incorrectly configured policies.

With applications continuously changing and moving across hybrid clouds, a security policy based on static constructs like VLANs or subnets is inadequate and hard to maintain, and leads to an ever-expanding set of firewall rules even long after applications have been decommissioned.

An attacker’s initial target is almost never his ultimate objective. After an attacker has gained access, lateral movement is frequently an intermediary step along the way to the crown jewels. A firewall deployed between network segments has no means of controlling or even providing visibility of lateral spread within a segment.

All these challenges lead to operational inefficiencies and unmitigated risk, making the jobs of both application owners and infrastructure administrators increasingly difficult.

The NSX Service-defined Firewall enables all levels of segmentation independent of the network. This includes, for example, segmenting development and production workloads, or micro-segmenting the intra-application flows, without having to make any changes to the existing network architecture.

The distributed firewall logically sits at the virtual network interface card (vNIC) of every workload. There is no need for any hairpinning of traffic to a traditional firewall appliance, as the
distributed firewall takes action before the traffic even hits the network. This distributed architecture also means the Service-defined Firewall provides absolute coverage, with the ability to filter traffic from every workload to every other workload. The distributed firewall scales linearly with the workloads. As your organization grows and you deploy additional workloads and hypervisors, you get additional firewall capacity, with line-rate throughput at every hypervisor. Network re-architecture and re-IPing are not required.

NSX Intelligence provides distributed visibility and analytics, as well as automated policy formulation for customers who are micro-segmenting their applications.

Dynamic grouping in NSX effectively ties the life cycle of a security policy directly to the life cycle of an application. Workloads are tagged to identify the application they belong to, the environment they’re deployed in, whether they have any compliance requirements, and so on.

Based on these tags, workloads become members of security groups, which apply appropriate policies. When an application needs to scale up, those same tags are applied to new workloads being deployed, and the policy automatically extends to these workloads. Similarly, when an application is decommissioned, the VM is removed, or the tags are removed, the policy in the data plane automatically adjusts to reflect this new reality without any manual changes to the rule set.
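The tag-to-group-to-policy chain just described, as an added example in Python that is not NSX’s own code or API: group membership criteria, rule semantics, workload names, tags and addresses are all constructed here to show how scale-up, decommissioning and re-tagging change the enforced rule set without anyone editing a rule.

```python
"""Tag-driven security groups (added example, not NSX's own code).

Workloads carry tags, groups are defined by tag criteria, rules reference
groups instead of IP addresses, and the per-vNIC rule set is recomputed
from current membership. All names, tags and IPs are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Workload:
    name: str
    ip: str
    tags: dict            # e.g. {"app": "shop", "env": "prod", "tier": "web"}


@dataclass
class Group:
    name: str
    criteria: dict        # every key/value must match (constructed semantics)

    def members(self, inventory):
        return [w for w in inventory.values()
                if all(w.tags.get(k) == v for k, v in self.criteria.items())]


@dataclass
class Rule:
    name: str
    src: str              # source group name
    dst: str              # destination group name
    dport: Optional[int]  # None = any port
    action: str = "allow"


class DistributedFirewall:
    """Policy is written once in terms of groups; the enforced rules follow the inventory."""

    def __init__(self, groups, rules):
        self.inventory = {}
        self.groups = {g.name: g for g in groups}
        self.rules = rules

    def add_workload(self, w):          # scale-up: a new VM is deployed with its tags
        self.inventory[w.name] = w

    def remove_workload(self, name):    # decommission: the VM is deleted
        del self.inventory[name]

    def retag(self, name, **tags):      # tags changed on a live workload
        self.inventory[name].tags.update(tags)

    def effective_rules(self):
        """Expand group rules into concrete (src_ip, dst_ip, dport, action) entries,
        which is what the firewall at each vNIC actually enforces."""
        out = []
        for r in self.rules:
            for s in self.groups[r.src].members(self.inventory):
                for d in self.groups[r.dst].members(self.inventory):
                    if s.name != d.name:
                        out.append((s.ip, d.ip, r.dport, r.action))
        return out

    def verdict(self, src_ip, dst_ip, dport):
        """First matching rule wins; anything unmatched is dropped (default deny)."""
        for s, d, p, action in self.effective_rules():
            if s == src_ip and d == dst_ip and p in (None, dport):
                return action
        return "deny"


def build_demo():
    """Constructed 'shop' application with one web VM and one database VM."""
    groups = [
        Group("shop-web-prod", {"app": "shop", "tier": "web", "env": "prod"}),
        Group("shop-db-prod", {"app": "shop", "tier": "db", "env": "prod"}),
        Group("dev", {"env": "dev"}),
        Group("prod", {"env": "prod"}),
    ]
    rules = [
        Rule("dev-isolation", "dev", "prod", None, "deny"),   # dev must never reach prod
        Rule("web-to-db", "shop-web-prod", "shop-db-prod", 3306),
    ]
    fw = DistributedFirewall(groups, rules)
    fw.add_workload(Workload("web-01", "10.0.1.11", {"app": "shop", "tier": "web", "env": "prod"}))
    fw.add_workload(Workload("db-01", "10.0.2.21", {"app": "shop", "tier": "db", "env": "prod"}))
    return fw
```

Adding a second web VM with the same tags extends the web-to-db permit to it automatically, while deleting or re-tagging a VM drops its entries from the enforced set, so no stale rule outlives the workload.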

TAKING A CLOSER LOOK AT MICRO-SEGMENTATION
For a deep dive into the concept of micro-segmentation, download a copy of Micro-segmentation For Dummies (Wiley) at www.vmware.com/go/MicrosegmentationForDummies.com. This tightly written book, sponsored by VMware, provides a close-up look at the concepts, technologies, and benefits of micro-segmentation with the VMware NSX family.
Rethinking the Network
Network virtualization is a transformative architecture that makes it possible to create and run entire networks in parallel on top of existing network hardware. This results in faster deployment of workloads, as well as greater agility and security in the face of increasingly dynamic data centers, clouds, and edge nodes.

Although it leverages your existing network hardware, network virtualization is a fundamentally new approach to networking.

A virtualized network should enable you to take an entire network, complete with all its configurations and functions, and duplicate it in software.

You should be able to create and run your virtualized network in parallel on top of your existing network hardware. A virtual network can be created, saved, deleted, and restored, just as you would do with VMs, but in this case you’re doing it with the entire network.

A virtualized network gives you the ability to:

»» Decouple the network from underlying hardware and apply virtualization principles to network infrastructure.
»» Create a flexible pool of transport capacity that can be allocated, used, and repurposed on-demand.
»» Deploy networks in software that are fully isolated from each other, as well as from other changes in the data center.
»» Transfer, move, and replicate the network, just as you can do with virtualized compute and storage resources.
»» Make consistent network functionality available anywhere in your enterprise.
IN THIS CHAPTER
»» Explaining the key functions of a virtualized network
»» Outlining the key features of a virtualized network
»» Exploring the functional and economic benefits of VMware NSX Data Center

Chapter 3
Transforming the Network

In the previous chapters, we introduce network virtualization and provide a quick overview. In this chapter, we dig deeper into the technologies you need in order to bring the benefits of virtualization to your network environment. We begin by introducing the concepts behind network virtualization and conclude with details of VMware NSX Data Center, a multi-hypervisor, multi-cloud network virtualization and security platform.

Understanding the Key Functionalities of a Virtualized Network
A virtualized network includes both overlay networking and the traditional functions you’re probably more familiar with, like routing and load balancing. Traditional networking functions, done in software, become closer to the application.

Overlay networks
Network virtualization uses overlay technologies, which sit above the physical network hardware, enabling a logical network, as shown in Figure 3-1.
FIGURE 3-1: Logical networking via the use of overlays.

Network overlays make it possible to run networks entirely in software, abstracted from the supporting physical network infrastructure. In the case of the data center network, they create tunnels between endpoints within the virtual layer.

Packet flow from sender to receiver
Virtual networks use the underlying physical network as the packet-forwarding backplane and bring nuanced networking decisions closer to the application. When application endpoints — for example, two virtual machines (VMs) — communicate, the packet is encapsulated with the IP address of the destination virtual endpoint. The physical network delivers the frame to the destination host, which removes the outer header, and then the local virtual switch instance delivers the frame to the destination.

Communication uses the underlying physical network as a simple IP backplane — without the complexity of Spanning Tree Protocol (STP) or access control lists (ACLs), because these things now can be done closer to the application by the network virtualization platform. This approach dramatically simplifies configuration management and eliminates physical network changes.

Overlay technologies
There are various overlay technologies. One industry-standard technology is called virtual extensible local area network (VXLAN). VXLAN provides a framework for overlaying virtualized layer 2 networks over layer 3 networks, defining both an encapsulation mechanism and a control plane. Another is generic network virtualization encapsulation (GENEVE), which takes the same concepts but makes them more extensible by being flexible to multiple control-plane mechanisms.
There are other overlay technologies, too, including network virtualization using generic routing encapsulation (NVGRE). NVGRE has had limited adoption in comparison to the momentum of GENEVE and VXLAN.

Comparing GENEVE and VXLAN
This section fills you in on GENEVE and VXLAN — how they’re similar and how they’re different.

Encapsulation
GENEVE and VXLAN both encapsulate the original Ethernet frames generated by workloads (virtual or physical) connected to the same layer 2 segment, usually named a logical segment. They’re also both layer 2 over layer 3 encapsulation technologies. The Ethernet frame generated by a workload is encapsulated with an external header, followed by the User Datagram Protocol (UDP), IP, and Ethernet headers, and transported across the network interconnecting the GENEVE or VXLAN endpoints (typically, the application endpoint, such as a VM or container pod).

Scaling
Extending beyond the 4,096 virtual local area network (VLAN) limitation on traditional switches is achieved using a 24-bit identifier, named a virtual network identifier (VNI) in GENEVE, or a VXLAN network identifier in VXLAN, which is associated with each layer 2 segment created in the logical space. This value is carried inside the overlay header and is normally associated with an IP subnet, similar to what traditionally happens with VLANs. Intra-IP subnet communication happens between devices connected to the same virtual network (logical segment).

Traversing the network
Hashing of the layer 2, layer 3, and layer 4 headers present in the original Ethernet frame is performed to derive the source port value for the external UDP header. This is important to ensure load balancing of overlay traffic across equal-cost paths potentially available inside the transport network infrastructure.

Terminating the tunnels
The source and destination IP addresses used in the external IP header uniquely identify the hosts originating and terminating
the overlay. This functionality lies within the tunnel endpoint in GENEVE or VXLAN Tunnel EndPoint (VTEP) in VXLAN.

Frame size
Encapsulating the original Ethernet frame into a UDP packet increases the size of the IP packet. This results in one of very few requirements for the physical network infrastructure: increasing the maximum transmission unit (MTU) size to a minimum of 1,700 bytes. The MTU for the virtual switch uplinks of the tunnel endpoints performing the GENEVE or VXLAN encapsulation is automatically increased when preparing the tunnel endpoint.

Figure 3-2 describes the steps required to establish layer 2 communications between application endpoints leveraging overlay functionality — in this case, GENEVE:

1. VM1 originates a frame destined to VM2, which is on the same layer 2 logical segment.
2. The source Tunnel Endpoint identifies the destination Tunnel Endpoint where VM2 is connected and encapsulates the frame before sending it to the transport network.
3. The transport network is only required to provide IP connectivity between the source and destination Tunnel Endpoints.
4. The destination Tunnel Endpoint receives the GENEVE frame, de-encapsulates it, and identifies the layer 2 segment.
5. The frame is delivered to VM2.

FIGURE 3-2: Establishing layer 2 communication between VMs with GENEVE.
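The sender-to-receiver packet flow, the encapsulation, scaling, traversal, tunnel-termination and frame-size points, and the five GENEVE steps above, as one added example in Python that is not code from the book or from VMware: a constructed VM1-to-VM2 frame is encapsulated at a constructed source tunnel endpoint and de-encapsulated at the destination, with the VXLAN header shown alongside GENEVE for comparison. Tunnel-endpoint addresses, the VNI and the CRC-based source-port hash are assumptions; the header layouts and UDP ports are the ones the two protocols define.

```python
"""GENEVE/VXLAN overlay encapsulation walk-through.

Added example, not code from the book or from VMware. A constructed VM1 -> VM2
frame is encapsulated at a constructed source tunnel endpoint (TEP) and
de-encapsulated at the destination TEP, following the five steps above.
TEP addresses, VNI and the CRC-based source-port hash are assumptions.
"""
import struct
import zlib

ETH_P_IP = 0x0800
ETH_P_TEB = 0x6558          # GENEVE protocol type: Transparent Ethernet Bridging
GENEVE_UDP_PORT = 6081      # IANA-assigned GENEVE destination port
VXLAN_UDP_PORT = 4789       # IANA-assigned VXLAN destination port
OVERLAY_MIN_MTU = 1700      # underlay MTU requirement stated in the text
ETH_HDR_LEN, IP_HDR_LEN, UDP_HDR_LEN, OVERLAY_HDR_LEN = 14, 20, 8, 8

# Constructed TEPs: the hypervisors hosting VM1 and VM2.
TEP_A = {"mac": "00:0c:29:aa:00:01", "ip": "192.168.100.11"}
TEP_B = {"mac": "00:0c:29:aa:00:02", "ip": "192.168.100.12"}


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ipv4(text):
    return bytes(int(octet) for octet in text.split("."))


def ipv4_header(src, dst, payload_len, proto=17):
    """IPv4 header with a valid checksum; DF set because overlay traffic must not fragment."""
    total = IP_HDR_LEN + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, proto, 0, src, dst)
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]


def inner_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/UDP frame exactly as VM1 would emit it (step 1)."""
    l4 = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    ip = ipv4_header(_ipv4(src_ip), _ipv4(dst_ip), len(l4)) + l4
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_IP) + ip


def udp_source_port(frame):
    """Hash the inner L2/L3/L4 headers into the outer UDP source port so the
    underlay's ECMP spreads different overlay flows across equal-cost paths."""
    keys = frame[0:12]                                   # inner dst + src MAC
    if struct.unpack("!H", frame[12:14])[0] == ETH_P_IP:
        ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
        keys += frame[26:34]                             # inner src + dst IPv4
        keys += frame[ETH_HDR_LEN + ihl:ETH_HDR_LEN + ihl + 4]  # inner L4 ports
    return 49152 + zlib.crc32(keys) % 16384              # ephemeral range


def geneve_header(vni):
    # Ver=0 | OptLen=0 | O=0 C=0 | ProtocolType | VNI (24 bits) | Reserved (8 bits)
    return struct.pack("!BBHI", 0, 0, ETH_P_TEB, vni << 8)


def vxlan_header(vni):
    # Flags (I bit set) + 24 reserved bits | VNI (24 bits) | Reserved (8 bits)
    return struct.pack("!II", 0x08 << 24, vni << 8)


def encapsulate(frame, src_tep, dst_tep, vni, overlay="geneve"):
    """Source TEP (step 2): wrap the frame in overlay/UDP/IP/Ethernet headers
    addressed to the TEP that hosts the destination VM."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    if overlay == "geneve":
        payload, dport = geneve_header(vni) + frame, GENEVE_UDP_PORT
    else:
        payload, dport = vxlan_header(vni) + frame, VXLAN_UDP_PORT
    udp = struct.pack("!HHHH", udp_source_port(frame), dport,
                      UDP_HDR_LEN + len(payload), 0) + payload
    ip = ipv4_header(_ipv4(src_tep["ip"]), _ipv4(dst_tep["ip"]), len(udp)) + udp
    if len(ip) > OVERLAY_MIN_MTU:     # the 'frame size' requirement above
        raise ValueError(f"encapsulated packet of {len(ip)} bytes exceeds the underlay MTU")
    return _mac(dst_tep["mac"]) + _mac(src_tep["mac"]) + struct.pack("!H", ETH_P_IP) + ip


def decapsulate(packet):
    """Destination TEP (step 4): strip outer headers, return (vni, original frame)."""
    ihl = (packet[ETH_HDR_LEN] & 0x0F) * 4
    udp_off = ETH_HDR_LEN + ihl
    dport = struct.unpack("!H", packet[udp_off + 2:udp_off + 4])[0]
    ovl_off = udp_off + UDP_HDR_LEN
    hdr = packet[ovl_off:ovl_off + OVERLAY_HDR_LEN]
    vni = struct.unpack("!I", hdr[4:8])[0] >> 8    # both formats keep the VNI in bytes 4-6
    if dport == GENEVE_UDP_PORT:
        if struct.unpack("!H", hdr[2:4])[0] != ETH_P_TEB:
            raise ValueError("GENEVE payload is not an Ethernet frame")
        inner_off = ovl_off + OVERLAY_HDR_LEN + (hdr[0] & 0x3F) * 4  # skip any options
    elif dport == VXLAN_UDP_PORT:
        if not hdr[0] & 0x08:
            raise ValueError("VXLAN I flag clear: VNI not valid")
        inner_off = ovl_off + OVERLAY_HDR_LEN
    else:
        raise ValueError("not a GENEVE or VXLAN packet")
    return vni, packet[inner_off:]
```

A full 1,500-byte inner frame grows by the 36 bytes of IP, UDP and overlay headers on the wire, which is why the underlay MTU must be raised while the inner frames stay untouched.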

NETWORK VIRTUALIZATION IN ACTION
Here’s one of many potential examples of how network virtualization makes life better for your security and network administrators. Communication on a conventional network can be inefficient when services such as firewalling are applied. Traffic must be routed out of the virtual environment, passed through the physical firewall, and then redirected back to the virtual environment. This process is often referred to as hairpinning or tromboning. It adds complexity and latency, lowering performance and increasing instability, and makes it harder for application endpoints to move. By contrast, when network services are integrated into a network virtualization layer, there’s no hairpinning.

Understanding Virtual Network Functions
Overlay networking is pretty powerful, but it’s only one piece of the network virtualization story. Overlays enable you to make networking decisions in software, in a virtual layer, abstracted from the physical hardware. But then what? What do those decisions look like? That’s where virtual network functions come in.

What functions? Well, how IP networking works isn’t necessarily changing, so you still need a router in the virtual space. Because
you’re bringing networking closer to the application, it might
benefit from a new model for load balancing, too. These can be
centralized functions (think a single router) or distributed func-
tions (as has been done for years with virtual distributed switch-
ing). Finally, something that has really revolutionized security is
the virtual distributed firewall. We get into each of these func-
tions more as we go through architectures and use cases.

Virtual Network Functions is a key term in Network Function Virtualization (NFV). This realm is focused on virtualizing the network functions required by service provider networks and mobile carriers. In fact, it’s very similar to how functions are moving into software in the data center space, but it’s also still distinct in many ways, so it’s worth clarifying that we’re not necessarily talking about NFV here.

The Big Payoff

Network virtualization helps organizations achieve major
advances in speed, agility, and security by automating and sim-
plifying many of the processes that go into running a data center
network and managing networking and security in the cloud.

Here’s a quick checklist of some of the key benefits. Network virtualization helps you

»» Reduce network provisioning time from weeks to minutes.
»» Achieve greater operational efficiency through automation.
»» Place and move workloads independent of physical
topology.
»» Improve network security within the data center.

Meeting the VMware NSX Data Center

First, a simple definition: VMware NSX is a family of network-
ing products from VMware that realize network virtualization
from the data center to the cloud to the edge. NSX Data Cen-
ter is the network virtualization and security platform for the
software-defined data center (SDDC). NSX Data Center reproduces
the entire network model in software. This end-to-end model
enables any network topology — from simple to complex — to be
created and provisioned in seconds. It delivers all the goodness of
network virtualization that we’ve covered so far, and more.

In addition to increasing agility, NSX Data Center enhances security inside the data center via automated fine-grain policies
that wrap security controls around each application endpoint.
This is a completely new approach. It enables an intrinsically
secure network, preventing attacks that move laterally within
the data center, jumping from workload to workload with
little or no controls to block propagation. With NSX, workloads
can be isolated from each other, as though each were on its own
network.

In this section, we pop the latch and give you a look under the
hood of VMware NSX Data Center.

NSX Data Center architecture

The NSX approach to network virtualization allows you to treat
your physical network as a pool of transport capacity that can be
consumed and repurposed on-demand. Virtual networks are cre-
ated, provisioned, and managed in software, using your physical
network as a simple packet-forwarding backplane.

Virtualized network services are distributed to each endpoint independently of the underlying network hardware or topology.
Workloads can be added or moved on the fly and all the network
and security services attached to the app move with it. Existing
applications operate unmodified because they see no difference
between a virtual and physical network connection.

Integration with existing network infrastructure

NSX Data Center works with your existing compute and network-
ing infrastructure, applications, and security products. You can
deploy it nondisruptively on top of your current infrastructure.

Better still, NSX Data Center is not an all-or-nothing approach. You don’t have to virtualize your entire network. You can virtual-
ize portions of your network by simply adding hypervisors, bare-
metal hosts, or clouds to the NSX platform.

Simplified networking
After NSX Data Center is deployed, little interaction with the
physical network is required. VLANs, ACLs, spanning trees, com-
plex firewall rules, convoluted hairpinning traffic patterns —
these are no longer necessary.

As you deploy NSX, you can streamline your physical network configuration and design. Vendor lock-in becomes a thing of
the past with the physical network only delivering reliable high-
speed packet forwarding. You can mix and match hardware from
different product lines and vendors.

Broader networking and security
capabilities
NSX Data Center is extremely flexible and highly extensible. A
powerful traffic-steering capability referred to as Network Intro-
spection allows any combination of network and security services
to be chained together in any order.

Through Network Introspection, NSX provides deep integration with partners, providing the following benefits:

»» Granular service insertion: Interception of traffic at every virtual network interface card (vNIC) or logical router uplink, and flexible redirection rules
»» Simplified provisioning: Automated deployment and plumbing of partner services, multiple deployment models, failure detection, and load distribution
»» Ubiquitous application-based policies: Sharing of NSX
groups with partner managers, enabling a consistent
application-centric partner policy with dynamically updated
groups across virtual and physical appliances
»» Flexible and scalable service chain: Chaining of multiple
partner services in any combination across security and
visibility, and the ability to scale up services

Both north–south and east–west Network Introspection are supported. Although north–south introspection enables the inter-
ception of the traffic at the uplink of a T0/T1 logical router,
east–west introspection applies classification and interception of
traffic right at the vNIC of every workload, providing the same
granularity as the native distributed firewall.

This degree of flexibility applies not only to native NSX services but also to a wide variety of compatible third-party solutions —
including next-generation firewalls and traffic aggregation or
network/security visibility and analytics solutions.

Exploring Key NSX Capabilities

In this section, we look at some of the key technical capabilities of VMware NSX. Keep in mind: NSX virtualizes all network functions. In addition, many that we cover, and many that we don’t, are also available from the ecosystem of partners.

Everything in software
Here are some of the key features of VMware NSX:

»» Logical distributed switching: NSX allows you to reproduce complete layer 2 and layer 3 switching in a virtual environment,
decoupled from underlying hardware.
»» NSX gateway: This layer 2 gateway enables seamless
connection to physical workloads and legacy VLANs.
»» Logical routing: Routing between logical switches provides
dynamic routing within different virtual networks.
»» Service-defined Firewall: The VMware Service-defined
Firewall is a distributed, scale-out internal firewall that
protects all east–west traffic with security intrinsic to the
infrastructure, radically simplifying the deployment model.
»» Distributed IDS/IPS: NSX provides a software-based IDS/IPS
solution that enables you to achieve regulatory compliance,
create virtual zones, and detect lateral movement of threats
on east–west traffic.
»» Logical load balancer: NSX provides a full-featured
advanced load balancer that delivers multi-cloud load
balancing, application security, and scalable container
ingress and analytics.
»» Logical virtual private network (VPN): NSX Data Center
supports site-to-site and remote access VPNs in software.
»» NSX application programming interface (API): RESTful API
enables integration with cloud management platform.
»» Integration with cloud management platforms:
Integration is enabled with fully baked automation through
platforms like OpenStack or VMware vRealize Automation.
»» Service insertion: NSX enables you to plug in functions from
third-party services, not only as a northbound API call, but as
a chained service for each packet flow.
»» Federation, multi-site, multi-cloud networking and
security: You can extend these concepts outside a single
data center domain to multiple sites and clouds.
»» NSX Intelligence: The distributed analytics engine leverages
granular workload and network context unique to NSX to
deliver converged security policy management, analytics,
and compliance with data-center-wide visibility.

Essential isolation, segmentation, and advanced security services
Every year, businesses spend billions of dollars to secure the
perimeters of their data centers. And guess what? Breaches con-
tinue to mount. Though perimeter protection is an essential part
of a security strategy, it doesn’t do everything you need. You need
a new model for data center security.

NSX Data Center brings security inside the data center with auto-
mated fine-grain policies tied to application endpoints. Network
security policies are enforced by firewalling controls integrated
into the virtual layer. The hypervisor serves as an ideal place
to enforce such policies — it’s close to, yet isolated from, the
­application. Security policies and firewall state move when VMs
move and adapt dynamically to changes in your data center, such
as applications that are scaling up or being decommissioned. With
NSX dynamic security groups, the life cycle of a security policy is
tied directly to the life cycle of the application.

Virtual networks can operate in their own address spaces or have overlapping or duplicate address spaces. They are inherently iso-
lated from all other virtual networks and the underlying physical
network. Malicious software that slips through your firewall is no
longer free to jump from server to server.
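How the policy model described in the two paragraphs above behaves as workloads move, scale up and are decommissioned, as an added Python example (not VMware's code and not the NSX API): a small distributed-firewall model whose rules reference tag-based groups only, with the check run at the vNIC of whichever host the workload is on and every drop written to a log a detection team could consume. The group names, tags, workload names, hosts, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    host: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: Optional[str]   # None matches any source
    dst_group: Optional[str]   # None matches any destination
    dst_port: Optional[int]    # None matches any port
    action: str                # "ALLOW" or "DROP"


class DistributedFirewall:
    """Rules name tag-based groups, never hosts or IPs; membership is computed from the
    workload's tags at enforcement time, so the policy follows the workload."""

    def __init__(self, groups, rules, default_action="DROP"):
        self.groups = groups            # group name -> tags a workload must carry
        self.rules = rules              # ordered: first match wins
        self.default_action = default_action
        self.deny_log = []

    def in_group(self, wl, group):
        return group is None or self.groups[group] <= wl.tags

    def evaluate(self, src, dst, port):
        for rule in self.rules:
            if (self.in_group(src, rule.src_group) and self.in_group(dst, rule.dst_group)
                    and rule.dst_port in (None, port)):
                return rule.action, rule.name
        return self.default_action, "default"

    def enforce_at_vnic(self, src, dst, port):
        """The enforcement point is the destination vNIC, on whatever host it currently lives."""
        action, rule = self.evaluate(src, dst, port)
        if action == "DROP":
            self.deny_log.append(f"host={dst.host} DROP {src.name}->{dst.name}:{port} rule={rule}")
        return action


def build_policy():
    # Constructed three-tier policy: web may reach app, app may reach db, nothing else.
    groups = {
        "web": frozenset({"app:shop", "tier:web"}),
        "app": frozenset({"app:shop", "tier:app"}),
        "db": frozenset({"app:shop", "tier:db"}),
    }
    rules = [
        Rule("web-to-app", "web", "app", 8443, "ALLOW"),
        Rule("app-to-db", "app", "db", 5432, "ALLOW"),
        Rule("deny-lateral", None, None, None, "DROP"),   # explicit catch-all so drops are logged
    ]
    return DistributedFirewall(groups, rules)


def run_demo():
    dfw = build_policy()
    web = Workload("web-01", "10.1.1.10", "esx-01", frozenset({"app:shop", "tier:web"}))
    app = Workload("app-01", "10.1.2.10", "esx-02", frozenset({"app:shop", "tier:app"}))
    db = Workload("db-01", "10.1.3.10", "esx-03", frozenset({"app:shop", "tier:db"}))
    results = {
        "web->app:8443": dfw.enforce_at_vnic(web, app, 8443),
        "web->db:5432": dfw.enforce_at_vnic(web, db, 5432),      # lateral hop blocked at the vNIC
        "app->db:5432": dfw.enforce_at_vnic(app, db, 5432),
    }
    # Workload mobility: same VM on a new host with a new address; no rule mentions either.
    moved_web = replace(web, host="esx-04", ip="10.1.9.10")
    results["moved web->app:8443"] = dfw.enforce_at_vnic(moved_web, app, 8443)
    results["moved web->db:5432"] = dfw.enforce_at_vnic(moved_web, db, 5432)
    # Scale-up: a new app VM with the right tags joins the group with no rule change.
    app2 = Workload("app-02", "10.1.2.11", "esx-01", frozenset({"app:shop", "tier:app"}))
    results["web->app2:8443"] = dfw.enforce_at_vnic(web, app2, 8443)
    # Decommissioning: once the tags are removed the VM drops out of the group and its allow rule.
    retired_app = replace(app, tags=frozenset())
    results["web->retired-app:8443"] = dfw.enforce_at_vnic(web, retired_app, 8443)
    return results, dfw.deny_log


if __name__ == "__main__":
    for flow, action in run_demo()[0].items():
        print(f"{flow:28s} {action}")
```

Two points are worth noticing. The deny entries carry the host that enforced them, so a lateral-movement attempt shows up in the log of the host hosting the target rather than at a perimeter device the traffic never reaches. And because membership is recomputed from tags on every check, there is no rule to rewrite when a workload moves, is cloned, or is retired; the policy's life cycle is the application's.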

An internal firewall must be able to support

»» Distributed and granular enforcement of security policies
»» Scalability and throughput to handle large volumes of traffic
»» A low impact on network and server infrastructure
»» Intra-application visibility
»» Workload mobility and automatic policy management

Performance and scale

NSX Data Center delivers proven performance and scale. Because networking functions are embedded in the virtual layer, NSX features a scale-out architecture that enables seamless scaling of additional capacity with solid availability and reliability.

Here’s an example of the extreme scalability: In a real-world NSX deployment, a single cluster of controllers delivered more than
10,000 virtual networks, supporting more than 100,000 VMs. This
isn’t required for most networks, but many networks do have
scalability limitations.

In the NSX Data Center environment:

»» The processing required for distributed network services is incremental to what the vSwitch is already doing for
connected workloads.
»» The vSwitch is integrated with the hypervisor kernel, along
with all the NSX network and security services.
»» Virtual network transport capacity scales linearly (alongside
application endpoint or VM capacity) with the introduction of
each new hypervisor/host.

Unparalleled network visibility

NSX takes visibility into the network to an all-new level. With con-
ventional approaches to networking, configuration and forwarding
state are spread across disparate network devices. This fragmen-
tation can cloud your view and complicate troubleshooting.

By contrast, NSX provides all configuration and state information in one place. Connectivity status and logs for all NSX components
and virtual network elements (logical switches, routers, and the
like) are readily accessible, as is the mapping between virtual net-
work topologies and the underlying physical network. This single
pane of glass view of the network is further enhanced with group
and traffic flow visualization in NSX Intelligence, which simpli-
fies security policy formulation across the data center.

Better yet, with NSX, you have access to advanced troubleshooting tools like Traceflow. This function injects a synthetic packet
into a virtual switch port, providing network path visibility as it
traverses physical and logical network systems. You can identify
the full path a packet takes and troubleshoot any points along the
way where the packet is dropped.

This level of visibility isn’t possible if you’re running traditional
physical networking hardware, and it definitely wouldn’t be pos-
sible with physical networking in situations where two VMs are
communicating on the same host.

Identifying the Key Benefits of VMware NSX Data Center
Now we’re getting to the really good stuff. This section looks at
some of the ways your organization can cash in on the capabilities
of network virtualization with VMware NSX. We break the story
into two groups: functional benefits and economic benefits.

Functional benefits
The functional benefits of NSX Data Center revolve around four
pillars of the SDDC: speed, agility, security, and reliability. Here’s
how these benefits are delivered:

»» Creating entire networks in software in seconds: NSX Data Center arms you with a library of logical networking
elements and services, such as logical switches, routers,
firewalls, load balancers, VPN, and security, that you can use
to create isolated virtual network topologies in seconds.
»» Minimizing the risk and impact of data breaches: You can
use NSX to isolate workloads, each with its own security
policies. This capability helps you contain threats and block
the movement of malicious software within your data center.
»» Supporting modern applications with a converged
platform: Modern applications use a variety of compute
(VMs, containers, and bare-metal). With full-stack layer 2 to
layer 7 network virtualization, NSX helps you eliminate
network silos, achieve consistent policy that adapts with the
changing application landscape, and simplify operations.
»» Speeding up IT service delivery and time to market: You can
reduce the time required to provision multitier networking and
security services from weeks to minutes. Some enterprises use
NSX to give application teams full self-service provisioning
capabilities. Automation and orchestration capabilities in NSX
help you avoid manual configuration errors.

»» Simplifying network traffic flows: You can use NSX to lessen the load of server-to-server traffic: VMs communicate with one another through the vSwitch or aggregation fabric.
This cuts down on east–west traffic hops and helps you
avoid convoluted traffic patterns and the costs of building up
core capacity with more hardware.
»» Enhancing service availability: Cloud-scale data centers
have few outages because they have flatter fabrics with
equal-cost multipath routing between any points on the
network. Simplified leaf-spine fabrics make individual links or
devices inconsequential. The network can withstand multiple
simultaneous device failures with no outage.

Economic benefits
The economic benefits of network virtualization with NSX emerge
across both capital and operational expenditures:

»» Reducing the risk of costly breaches: Deploying firewalls and advanced threat protection solutions to control an
increasing volume of east–west traffic inside the data center
is cost-prohibitive. The sheer number of devices needed and
the effort required to manage complex firewall rules have
made this approach operationally not feasible. Micro-
segmentation and advanced threat protection capabilities
that come with network virtualization make this doable and
affordable. You reduce the risk of cross-data-center security
breaches while avoiding capital expenditures on hardware
and software.
»» Reducing time and effort: Network virtualization greatly
reduces the effort and time it takes to complete network
tasks. NSX reduces the effort from hours to minutes, and the
cycle times from days to minutes. If you consider all the
manual tasks — across development, testing, staging, and
production environments — and the fact that NSX auto-
mates these, you begin to see lots of opportunities to reduce
operational costs.
»» Improving server asset utilization: In traditional topolo-
gies, each network cluster has its own compute capacity. IT
administrators often overprovision compute to avoid the
network reconfiguration required to reach available capacity
in another cluster. You can instead use NSX to bridge network clusters and deploy workloads to the unused
capacity. By making better use of existing server capacity,
you avoid the need to buy new servers.
»» Improving cost and performance savings: Many enter-
prises use NSX and network virtualization to replace
expensive proprietary hardware with lower-cost multi-
vendor infrastructure.
»» Extending the hardware life cycle: You can use NSX to pull
more value from your existing network infrastructure. NSX
Data Center offloads east–west traffic from the network
core, allowing you to extend hardware lifespan. Similarly,
protecting east–west traffic in a data center with the NSX
distributed firewall greatly reduces the burden on physical
firewalls. Instead of refreshing your networking and security
gear at the end of the accounting depreciation cycle, you can
use it for longer periods. You touch the hardware only to
add more capacity or to replace failed devices.

IN THIS CHAPTER
»» Reevaluating security
»» Understanding multi-cloud networking
»» Networking for containers
»» Automating across the network stack

Chapter 4
Exploring Network Virtualization Use Cases

Network virtualization improves on the status quo across a number of different use cases. In this chapter, we walk through those categories, giving examples of how people are putting network virtualization into action.

As we note in Chapter 3, virtualization with NSX is not an all-or-nothing approach. You don’t have to virtualize your entire
network. You can virtualize portions of your network for targeted
use cases and then expand your use of virtualization over time.

And here’s a cool fact: Enterprises can often justify the cost of
NSX with a single use case while establishing a strategic platform
that drives additional use cases and projects over time.

In the following sections, we drill down into some common use cases to show how network virtualization speeds up processes,
strengthens security, and keeps your applications up and running.

Another random document with
no related content on Scribd:
completed in two hours and a quarter. We were surprised to find that
after eight or ten miles all signs of destruction ceased. The first
villages were in ruins, like Messina; and in the fields soldiers were
digging great rows of trenches, in which they deposited lime:
obviously the sea was no longer to receive all the dead. But soon we
came upon towns with only a few fallen houses; before long a
mutilated roof was a curiosity; and fifteen miles from Messina the
country presented a completely normal appearance. We did not
realize then that those villages between Messina and Taormina were
in greater distress than any district, probably, in the whole of Sicily or
Calabria. Thousands, perhaps tens of thousands, of refugees from
the city fled on foot to these little towns, imploring charity. The
inhabitants received them with true hospitality and gave them of their
best. But as the days and weeks passed the supply of food ran
short. Nothing arrived by rail; the trains were filled with cargoes for
Messina or else for Taormina or Catania; charity passed the little
places by. It was a month after the earthquake that two American
gentlemen from Taormina, Messrs. Wood and Bowdoin, discovered
and reported the incredible distress of this starving rural population.
And now another American, Mr. Billings, of Boston, is devoting
himself to the relief of this district and is spending there the principal
part of the generous offerings of Massachusetts.

TAORMINA.
Taormina was full of rumors. For a week the only news had been
supplied by wounded refugees, distraught with fear and misery; in
their description the earthquake had become almost a supernatural
event. Strange lights had blazed in the sky; a comet had struck the
earth and raised the waters of the deep. Luckily the wires to Catania
and Syracuse, and from Catania to Palermo, were open. By
telegraphing to all of these cities and by searching the hotel registers
of Taormina, we were able to find nearly all the names on our lists.
There were many Americans still in Taormina and many English. All
of them were working together, distributing relief and caring for the
sick. A hundred and fifty refugees were in the hospital of Taormina
and three hundred and eighty in the little fishing village of Giardini at
the foot of the cliff. Our countrymen were working night and day to
help them, giving them food and clothing; and instead of complaining
of the heavy burden of so many patients, they begged us to send
more. One or two of them met every train from Messina, to distribute
bread to the hungry passengers. The ladies devoted themselves
chiefly to the hospitals, where they worked with unremitting energy.

BACK TO MESSINA.
Our brief glance at the efficient relief of Taormina made the
conditions at Messina, upon our return, seem even more desperate
than before. Here the problem was vastly complicated by the
dispersion of the population and the lack of any registers of
inhabitants. The scarcity of houses had driven the population to take
refuge, so far as possible, in the hill villages surrounding the town.
Here most of the families were installed, not only the able-bodied,
but the sick and wounded as well. One of each family would spend
the days in Messina, trying to procure enough food to keep his
relatives alive. The complete lack of transport animals and the
absorption of the soldiers in the work of rescue, made relief
expeditions to the villages impossible. For food distributions in
Messina the rule had been adopted; one man, one loaf. The
absence of registers made it possible for a strong man to push
repeatedly to the head of the line, and to get bread at all the
distributing places in succession. The result was a more or less
disorderly rush for bread at all the distributing points, and the
exclusion of all but the strongest, while many worthy families
suffered from hunger in the midst of comparative plenty.
On the evening of our first arrival at Messina, I had a chance to
talk to Senator Duranti, the chief of a hospital expedition sent by the
order of the Cross of Malta. I asked him what articles of food,
clothing and medical supplies were most needed, and how the
American money accumulating in Rome could be spent with most
profit to Messina. He told me that medical stores of all kinds were
sadly wanted, and that there was still a lack of food, bread,
macaroni, olive oil, butter, and especially milk—for the women and
children—and also underclothes and shirts. The milk should be
sterilized, not condensed, because the ignorant peasant women
could not be induced to give their children an unaccustomed food,
especially if it had to be prepared or mixed. Acting upon Senator
Duranti’s advice, we telegraphed that night to the Ambassador in
Rome for the enumerated supplies. The U. S. despatch boat
Scorpion, which had just arrived from Constantinople, was starting
for Naples to coal. Her commander, Captain Logan, kindly took our
dispatches to the Ambassador, and brought back the supplies, which
we received on the 6th. At the same time we learned that an
American relief ship was being stocked in Rome, and would soon
arrive with huge stores of food and clothing, and that the U. S. S.
Culgoa was due on the 8th from Port Said with immense supplies of
all kinds.
The arrival of our first stores—which luckily far exceeded our
requests—brought us face to face with the problem of direct
distribution. Messina was already more orderly. On the 6th or 7th the
Marina was first lighted by electricity—a fortunate occurrence, since
most of the foreign warships on whose search lights we had been
dependent, had now departed. To these ships Messina and Italy had
good reason to be grateful.

BRITISH AND RUSSIAN SAILORS’ AID.


I do not know what words could adequately convey the extent of
service rendered by all the fleets, but especially the British and
Russian. As transports, store ships, refugees’ hospitals, telegraph
stations they had been invaluable: but it was as rescuers of the living
that they were pre-eminent. The Russian sailor was a revelation to
those who did not know the quiet common sense, the tactful
sympathy and the unassuming heroism of the moujik. The Russians
were the only people who always had everything on the spot. The
saying got about that they had ordered the earthquake and fitted out
a fleet beforehand for the purpose of relief. As to the British
bluejackets, they had not a reputation to make. They did exactly
what was expected of them; and in the expected way; that is with
energy and courage, with easy practical mastery of every kind of
work, and with complete unconsciousness of anything unusual or
particularly meritorious in their performance. And the English nation
and press, instinctively realizing that silence may be a higher tribute
than praise, has accepted the fleet’s work at its own valuation; as a
task performed in the ordinary way of duty, and performed well, as
became British sailors.
About the same time or a little later, the water supply was
connected with a portion of the town. Lack of water had been one of
our chief discomforts. It could be procured at one place only, two
miles from the consulate; with great difficulty we had obtained a
pailful each day for our party. The streets had become filthy beyond
description: now it was possible to flood them. A train to Palermo
crawled out of Messina from time to time. The dead were being
removed from the streets, and many of them were buried instead of
being taken out to sea. On the fires in front of the tarpaulin houses
stood pots of macaroni cooking. The hospital ships which departed
for Naples, Genoa or Catania were no longer crowded to over-
flowing. The people actually living in Messina were comparatively
comfortable. But every improvement in organization brought out
more clearly the needs which confusion had obscured. Inside the city
and out, no one had any clothes except what he had been able to
snatch from his house on the morning of the 28th; and not two miles
from the Municipio, in all directions, ran the hunger line—beyond
which lay the region of actual famine.
It must be remembered that Messina was in a state of siege. That
means that it was controlled in every department by a single central
military authority. The state of siege was necessary in order to
maintain order and health; but it entailed inevitable disadvantages in
connection with relief work. Effective relief should be decentralized; it
should operate through innumerable agents invested with
responsibility and discretionary power, who seek out the individual
and have the means to assist him. Government by martial law
means that nothing can be done or given except by permission of
the military chief, and an order for stores cannot be obtained in a
minute. This was why the hospitals, the Red Cross stations and relief
agencies of all kinds were so frequently short of supplies.
Requisitions of particular articles which had run out, such as brandy
or antiseptics or milk, required too great an expense of time; the
workers were everywhere fewer than the needs: they could not be
spared. From our own experience in sending telegrams or procuring
permits we learned to appreciate the inevitable disabilities of a
system of complete centralization in dealing with a situation of such
chaotic complexity.
What part we could take as independent distributors was not
evident. Under the circumstances we decided to divide our supplies
into three parts. The first, consisting of medical stores, milk, butter,
oil, chocolate and underclothes, was given to the central medical
officials, for use in the hospitals. The second, of a similar nature, we
took to Reggio and San Giovanni, for distribution to the hospitals
there. The medical authorities of each place selected from our lists
the articles of which they were in need. The remainder of the stores
we took to the consulate and distributed ourselves.

The Quay Where Corpses Were Laid Out, Awaiting Burial at Sea.

In picking out individuals to assist, we paid special attention to


residents of our own district, with whom we were beginning to
become acquainted, to persons known to Mr. Heynes, and to such
inhabitants of Messina as had some connection with America. We
were constantly asked by Messinesi to send telegrams to their
relatives in the United States, and if possible to help them rejoin
those relatives. But as our immigration laws forbid the importation of
the destitute, we had to tell the applicants that we could send their
telegrams, but that we could not provide passage to America.
The consulate soon became a busy place. Two soldiers stood at
the door to keep the line of applicants in order; inside, one of us
investigated the applicants, and registered the facts of each case in
a book, another took the written orders and brought back the stores,
which were handed out by a third. It is perhaps superfluous to add
that in cases of actual hunger no investigation was attempted. The
help of Mr. and Mrs. Heynes was invaluable throughout. It enabled
us to send stores to families at a distance, who had not heard of our
consulate or were unable to come. Other pitiable cases were brought
to our attention by the American and English newspaper
correspondents, and by Mr. Frank A. Perret, the seismic expert well
known for his heroism at the time of the eruption of Vesuvius in
1906.
Meanwhile the United States Warships Yankton and Culgoa, the
latter loaded with stores, had joined the Scorpion in the harbor. The
sailors were detailed to help us clean the house and garden and put
up a number of tents for a hospital. Colonel Radcliffe, the British
Military Attachè, to whose clear-headed determination is due the
chief credit for the admirable organization of British relief work, aided
us in countless ways. He was occupied at that time in searching for
the body of Mrs. Ogston, wife of the British Consul. When the
remains were found, it was a party of American sailors from the
Connecticut that formed the funeral escort.

ARRIVAL OF THE “BAYERN.”

Then, on the evening of the 8th, arrived the American Red Cross
Relief Ship Bayern, with the American Ambassador aboard and the
American Naval Attachè, Captain Belknap, in command. I am still
amazed at the intuitive grasp of the situation displayed by the
organizers of the expedition. From inception to completion, in every
detail of planning and execution, the cruise of the Bayern was
emphatically a success.
Messina was not the place, however, where the Bayern was
needed. A day ashore convinced the Ambassador and the
committee that large distributions of food and clothing were not
advisable at the present time. Supplies and a sum of money were
given to the Archbishop of Messina, for his hospital; the stock at the
consulate was replenished; a trip was made to the Calabrian coast,
where the military authorities were given what stores they requested;
then, early on the morning of the 11th, the Bayern sailed for Catania.

CATANIA.
We went ashore, wondering whether we were needed. An hour
later we wondered whether it was worth our while to think of going
anywhere else. The situation at that time was simply appalling: it is
appalling today, five weeks after our visit. Catania and every house
in Catania had been swamped with refugees. Three thousand of
them lay in the five hospitals; two thousand in the three main refuges
—converted barracks or convents; and twenty thousand were
scattered over the city. One lady whom we met had sixty in her own
house; another, thirty: another, seventeen. The Prefect was spending
20,000 lire daily, a sum barely sufficient to supply bread rations and
to keep the hospitals running, but quite insufficient to provide sheets
or clothing for the patients. Even the hospitals were short of
mattresses; in the refuges the inmates slept on heaps of straw. The
little towns in the country districts were as full of refugees as Catania
and in still greater distress; at Catania there was at least bread. Red
Cross branches, municipal committees of men and women, were
working valiantly, but they were struggling with absolute penury—a
complete lack of funds. The money received by the Prefect from the
Government appeared to be the only cash from the outside which
had yet arrived at Catania. It was still only a fortnight since the
earthquake. Apparently no one in Italy had yet realized that money
was needed immediately in places like Catania. Food and clothing
were sent, for instance, but at Catania the food and clothing shops
were well stocked. The Bayern after giving away nearly its whole
supply of clothes renewed the supply by purchases at Catania for
distribution at Reggio. Obviously it would have been more
economical to have given the Catanians money to buy the clothes of
which they were in want than to send the clothes from Italy. The work
of making up the clothes could have been given to the refugees
themselves, had there been money to pay them. It is true that at
Catania, as elsewhere, we found a general conviction that nothing
would make the refugees work. The women, it was said, had their
children to look after; the men could think of nothing but returning to
Messina to recover their property and the remains of their relatives.
All were plunged in a state of morbid apathy which made work out of
the question. This view, however plausible under the circumstances,
has been completely disproved; wherever the refugees have been
given work to do under proper supervision, they have worked. But at
Catania the point was not worth arguing. There was no money to buy
stuffs and sewing machines, or to pay wages; no rooms which could
be used as workshops. A movement might have been organized to
employ fifty or a hundred women, perhaps; but with 25,000 refugees
to keep from starvation and crime the city could not spare any of its
workers to organize an employment agency which, at the best,
would benefit only a few persons. Nothing but large sums of ready
money could have helped the situation; and ready money was not
yet forthcoming. The Bayern had brought a certain amount of money
to distribute; and I had funds of the American Red Cross. With what
we had we were able to give sums of cash to the committees, the
hospitals, the refuges and other charities.
The hospitals of Catania alone took almost all the clothes,
blankets and medical stores we had to give. Yet the hospitals were in
an enviable situation compared to the refuges. Here the inmates
were in a worse plight than when they had escaped, half-naked from
the ruins of Messina. A blanket, a heap of straw, and a daily bread
ration, was about all the average inmate had received since his
arrival. Few of them had changed their clothes or brushed their hair
once: all were living in a state of filth, which extended to their
persons and their habitations and which was a menace to the health
of the town. Let no one think that their plight was the result of
neglect. The Catanians showed no neglect or inefficiency. They
worked hard and they worked with intelligence, but they had no
money.
A curious and by no means reassuring feature of the refuges was
the willingness of their inmates to stay where they were, or rather
their unwillingness to move. I noticed the same fact at Palermo,
where the condition of the refugees was similar, though perhaps less
distressing. The inertia induced originally by the complex action of
physical and moral shocks on an oriental fatalistic temperament
increased rapidly, alarmingly, under the influence of a life without
interest, occupation, pleasure or duty. Dependent squalor soon
became pleasant, and any return to independence uninviting. The
hope of getting a cigar from some visitor was enough to fill the day
satisfactorily. Dirt, we know, soon became endurable; as a
philosopher once said, “Every man is clean enough for himself.”
What had happened already at the time of our visit was that the
inmates of the refuges had begun to regard their present life as
permanent, and had abandoned even the desire to change it; they
had been turned into paupers. Three-quarters of them spent the
days in aimless loafing and chatter; the other quarter lay gloomily on
the straw, thinking of the dead. Unless these people could be
awakened, unless someone should compel them soon to work and
to be clean, there were signs that they would become a permanent
burden; and, what is more, a permanent menace to the population.
Criminals are easily made in Sicily and when they are made they
have no difficulty in finding occupation.
Italian Soldiers Disinterring a Corpse in the Ruins of
the Old Consulate.
Bearing Corpses Down the Corso Principe Amedeo.

The problem of the refuges, then, was less to make them more
comfortable than to abolish them as soon as possible and in the
meantime to compel cleanliness and induce work among the
inmates. But there was a scarcely less difficult and more elusive
problem connected with the thousands of refugees scattered about
the town in private houses, living in the garrets and stables. Many of
them were skilled laborers of various kinds; not a few belonged to
families of merchants or professional men and to the well-to-do
classes. Their destitution was as complete, of course, as that of the
rest, and the relief awarded to them was the same—a daily loaf of
bread. Some of them were rich, if they could only find their
evidences of wealth. To enable them to do this, and to support them
meanwhile, the Catania business men had formed an association to
which we were glad to be able to make a small contribution.
The general impression created by our visit to Catania was that of
a problem too vast, too complicated, too closely connected with the
habits and temperament of the people for any outsider to solve. To
“rehabilitate” these thousands of peasants, artisans, professional
men, merchants, landed proprietors, would require a carefully
matured plan, which must proceed from the central authorities. But
meanwhile, until the plan should be matured, there was ample scope
for beneficent foreign intervention, and the most useful way to
intervene was also the simplest—by direct money gifts, not indeed to
individual refugees, but to the local relief bodies already organized
by Italians. It was not necessary or even advisable to make large
donations to the central authorities of each place. The system was
already rather too much centralized than too little, as the authorities
were the first to recognize. Far from being jealous of direct donations
to the subordinate or independent institutions, they welcomed
anyone who would investigate the various needs, and give help
when help was most wanted. It appeared to us that the best way to
dispose of American money was to entrust it to an agent on the spot,
who should travel up and down the coasts of Sicily and encourage
every well-directed movement by immediate money gifts. In time
such movements would no doubt receive help from Rome; but in the
meantime ready cash from unofficial sources might make the
difference between success and failure.

SYRACUSE.
The Bayern spent three days at Catania. During that time I made a
trip of investigation to Syracuse. Here the refugees numbered only
3,000—one-eighth of the number at Catania; but 900 of these were
hospital patients. Syracuse, too, has only one-seventh of Catania’s
population. Its hospital accommodations at the time of the
earthquake were for one hundred patients. If Syracuse had
succeeded better than any other place in mastering the difficulties of
the situation it was not because the difficulties were insignificant.
Syracuse was fortunate in a Prefect and a Mayor of resource and
capacity; in an unusually efficient body of volunteer workers, with
one woman of great ability at their head; and in the fact that the
importance of the work, as a moral and mental tonic for the refugees,
was realized from the very beginning. Syracuse was the first place
where refugees were set to work. The credit for this is due to an
American, Miss Katherine Bennett Davis, head of the New York
State Reformatory for Women.
When Miss Davis first thought of employing refugee women to
make clothes for the hospitals, relief work at Syracuse was just
emerging from a state of chaos. Four hospitals had been equipped
after a fashion for the reception of patients. The Municipal hospital
was already in good running order, through the efforts of Signor
Broggi-Reale, head of the local Red Cross; the Archbishop’s palace
was being rapidly transformed into a second hospital by a number of
ladies; at the big barracks conditions were more primitive until the
arrival of a splendidly equipped expedition of the German Red
Cross. Most of the hospitals were short of blankets; all needed
sheets, and all were entirely unsupplied with clothes for the patients.
Of the two thousand able-bodied refugees, eight hundred were
maintained aboard the steamship Nord Amerika; the rest were
scattered about the town. A woman’s branch of the Red Cross was
being organized by the Marchesa di Rudini, whose activity covered
every branch of the work of relief and extended beyond the confines
of Syracuse, to all the towns of the province. Her position as wife of
one of the largest landowners of the province and daughter-in-law of
Italy’s lamented premier; her independence of any particular
organization; her skill and tact in uniting individuals and parties made
her the most influential person in Syracuse. To her is due more than
to anyone else the excellent organization of the Syracuse relief work.
Miss Davis was in Sicily in order to rest. The funds at her disposal
amounted to six hundred lire only. But she saw an opportunity to
help in the moral regeneration of the refugees and at the same time
to supply one of the most pressing needs of the city. She went to the
mayor and offered to employ refugee women in making clothes for
the hospitals. Like everyone else, the Mayor had been told that the
refugees would not work; but unlike everyone else, he decided to
make the experiment. He gave Miss Davis two of his own rooms in
the Municipio, supplied her with sewing machines, and promised to
furnish all the necessary materials. She opened her shop on January
8th and soon had fifty women at work.
Miss Davis was not alone in her labors. Besides the support of the
officials and of Madame di Rudini, she had the direct assistance,
from the first, of Mrs. Musson, wife of the British clergyman, and later
of Mrs. Sisco, of Florida. When gifts of money from the American
Red Cross and from the Committee of the Bayern enabled Miss
Davis to found a second workshop at Santa Lucia, the quarter of
Syracuse situated on the mainland, Mrs. Musson became its
manager. To supplement her own scanty knowledge of Italian, Miss
Davis employed as interpreter and paymaster an English resident of
Messina, Miss Smith, who had escaped from the earthquake without
any of her belongings beyond what she could carry. The Syracusan
ladies took an active interest in the workshops; two of them, the
Baronesses del Bosco, whose principal work was in the hospitals,
found time nevertheless to give much of their attention to Miss Davis’
work, and assisted her particularly in the cutting-out department.
The workshops were a success from the beginning. Under Miss
Davis’ unceasing supervision the women showed no tendency to
idleness. A piece wage which would have put the unskillful and the
beginners at a disadvantage was not found necessary; the women
were paid by the day, one lira and a lunch of bread, cheese and
wine. The question naturally suggested itself, could not the men also
be induced to work? And could not their work be made to contribute,
like that of the women, to supply their own wants?

Refugee Camp in the Piazza Vittoria.

Miss Davis had now the money to carry out her plans. But she had
to face a new difficulty—the jealousy of the local artisans, who
resented any influx of labor. Miss Davis began with the shoemakers
because shoes, next to underwear, were the articles of clothing most
needed by the refugees. She found a number of shoemakers among
the refugees. These she induced the local shoemakers to employ by
offering the following advantageous terms: The local man was to
supply the materials and tools and to receive the price of the
product, which Miss Davis promised to buy. She was also to pay
wages to the refugee worker. Thus the refugee was employed, the
local shoemaker profited and the stock of shoes was increased. At a
later date Miss Davis found employment for all the carpenters,
masons and painters among the refugees by paying them to
complete a large two-story building, of which only one story had
been built. When finished the building became an orphan asylum for
seventy-five refugee children. The money for this work was furnished
by Mr. Billings out of the Massachusetts funds.
So far only skilled laborers had been employed. But the persons
who most needed work, those who deteriorated most rapidly when
idle, were the common unskilled laborers belonging to the lowest
classes. Even in their normal condition nothing but hunger would
induce these people to work; now they were fed and were in a state
of moral inertia. Miss Davis’ proposal to the Mayor to employ a
squad of sixty day laborers in improving the roads seemed almost
certain to fail. The Mayor, however, decided to make the attempt; he
was to supply tools, materials and supervision; Miss Davis was to
pay the wages. Once more the unexpected happened; the men
worked moderately well at first, then better every day. In a short time
all traces of idleness and discontent had disappeared.
From the point of view of actual achievement and also of example
Miss Davis’ feat at Syracuse seems to me the most important single
contribution to the problem of rehabilitating the sufferers from the
Messina earthquake. Her efforts were not limited, however, to giving
employment. With funds allotted by the Bayern Committee she
opened a pension or home for forty-two refugees of the better class,
giving preference to convalescents from the hospitals. Here for the
first time the refugees found soap, brushes, combs, clean clothes, all
the articles of first necessity of which they had been deprived since
the earthquake. The home was so successful that the Marchesa di
Rudini devoted most of the American money which had been given
her, to spend at her discretion, to founding two similar institutions at
Nolo and Avola, small towns of the province of Syracuse. These
homes the Prefect of Syracuse promised to support out of
Government funds when the original donations should be spent. In
Miss Davis’ home at Syracuse the moral health of the inmates was
never forgotten. Before the home had been opened a fortnight the
women among the inmates were busy making clothes, voluntarily
and without pay, for less fortunate refugees. Every scheme of Miss
Davis served a double end—practical utility and moral rehabilitation.
Upon my return to Catania I found the Bayern ready to start for
Reggio. During her stay she had not only dispensed relief to Catania
and the environs, but had also supplied the wants of the Taormina
and Giardini hospitals.

REGGIO.
Of our second visit to Reggio I need say little. It was the saddest
place of any, perhaps; nowhere else were the inhabitants plunged in
such a state of complete dejection. There were no adventurers or
imposters at Reggio: only the remains of families, sitting or standing
mournfully among the ruins of their own homes. There was no
danger in giving money to these people; their need was too obvious,
their distress too genuine. We distributed our cargo, gave what help
we could, paid a second visit to Messina and after two days
proceeded to Palermo.

PALERMO.
Conditions at Palermo were only less desperate than at Catania.
The refugees numbered about 11,000, of whom about 900 were in
the hospitals. Nearly all of the remainder were in refuges, very few
having been taken into private houses. All the barracks, the prison,
half the schools, several convents, several theaters, and even a
number of churches had been turned into refuges, of which the
largest held as many as a thousand inmates. The city is larger than
Catania, with more wealthy residents; it was therefore better off in
many respects. But it suffered, like Catania, from the want of money
from the outside, from the scarcity of intelligent workers, and from
the particular dangers connected with the refuges.
I have already described the refuge system. If work is necessary
for all the refugees, it is particularly necessary for those who live in
these large communities. At Palermo their idleness had already
turned to dangerous discontent. They complained constantly of their
treatment, but refused to leave the refuges. No work for them had
been organized when we arrived at Palermo. Enlightened by Miss
Davis’ example, we immediately offered money for the institution of
workshops on the same model as hers. The idea met with general
approval. A beginning was made at once in one of the barracks and
in the prison. Mr. Bishop, the American Consul, to whom we handed
over the money for the enterprise, labored energetically to broaden
the basis and extend the scope of the work. In a few days a ladies’
committee, of which the president was Mrs. Bishop and the vice-
president Countess Mazza, wife of the General in Command at
Messina, had founded workshops in five of the principal refuges, and
another refuge, the Caserna Garibaldi, was organized on the same
system by a parish priest, Father Trupiano, with the approval of the
Archbishop of Palermo. According to the latest reports the Palermo
workshops have been a success, like those of Syracuse. Some
concessions had to be made to the inferior moral condition of the
workers at the time when they were first employed. For instance,
they had to be paid by the piece instead of by the day. But they have
not proved idle on the whole, and such work as they have done has
contributed directly to a most important object—the increase of the
supply of clothing. Even if the Bayern committee had not been able
to distribute 1,200 mattresses and 15 tons of food at Palermo, or to
assist the municipal charities, their short visit of eight hours to the
city would have been amply justified by the foundation of these
workshops. With the cruise of the Bayern ended my direct
participation in the work of relief. I have only a second-hand
knowledge of the many other undertakings of the American Red
Cross in Italy. But I have seen enough to have formed a few general
opinions which may have a certain interest for Americans who have
contributed to the various relief funds.

PROBLEMS OF RELIEF.
The Italian government and the Italian Red Cross found
themselves, within a few days of the earthquake, in possession of
enormous sums of money. As the government had the sole access
to the afflicted districts and the sole authentic information about their
needs, it was to the government that all contributions, Italian and
foreign, were naturally sent. But there were several reasons why the
government could not immediately turn that money over to the
persons who most needed it or who could use it best.
In the first place, every consideration had to give place during the
early days before the imperative necessity of transporting troops to
the scene of disaster and of supplying them with the necessary food
and equipment. In the second place, government funds are always
particularly hard to protect from the suspicion of maladministration.
The Italian government may have remembered criticisms of the way
in which former funds had been distributed: at any rate, it determined
on this occasion to exercise all possible vigilance to prevent the
waste or misappropriation of a penny. The distrust of the Sicilians,
traditional in upper Italy, may have increased the tendency to send
supplies rather than money, and to give all orders from a single
central source. In the third place, the temporary feeding and clothing
of the destitute was a very small part of the total relief problem. The
end which the contributions must ultimately subserve was to restore
the refugee population to some kind of normal life, not merely to
keep them alive for a few months. But how to effect their
rehabilitation was a question which could not be answered until
many things were known; their numbers, for instance, the possibility
of rebuilding the ruined towns, the amount of property recoverable,
the condition of the harbors, channels, docks—a hundred facts
which only time could reveal. Whenever a general scheme should be
devised, vast sums would be required for its effectuation: till then it
was important not to disperse the accumulating contributions.
This policy of prudence and circumspection, admirable as regards
an ultimate settlement, was defective as a means of relieving
immediately the wants of scattered localities spread over two large
and more or less inaccessible regions. What was wanted in order to
supply so many needs in so many places was a system of extreme
decentralization, with large funds at the unfettered discretion of
individual agents. Such a system was incompatible with the rigid
supervision of expenditure which the government felt to be
necessary. It could not be adopted by the government. But precisely
for that reason it could be adopted with advantage by independent
and especially by foreign relief societies. By giving all their
contributions to the Italian central committee they would indeed be
helping in the general plan of rehabilitation which the central
committee was evolving, but they would not be doing the task for
which they were especially fitted and from which the central
committee was to a large extent excluded. If, on the other hand, they
entrusted their funds to agents in Sicily or Calabria, whose duty it
should be to investigate every town and every institution and to help
quickly the most useful and the most needy organizations, they
would be doing what no one else could do so well, and what no one
else had done at all.
The objection to such a policy was the risk of giving just offense to
the Italian government and people by interfering in what was
essentially an Italian concern—a problem of internal administration.
Such an objection appears to me to rest on a misconception. The
Italians might well resent, and would very likely have resented, any
interference which took the form of independent relief organizations,
with direct pecuniary assistance of individuals. As a matter of fact,
the German Red Cross hospital at Syracuse was an organization of
this kind and it aroused nothing but enthusiasm. A hospital, however,
is not like a distributing agency. What the Italians would have
objected to, and rightly, would have been any attempt on the part of
foreigners to decide Italian questions; how a given body of men
should be employed, where certain orphans should be sent, what
families should first be assisted; or to set up independent relief
bureaus to which individuals might apply, thus duplicating or
confusing the work of the Italians and opening an easy way to